Arthur Deane is a Senior Director at Capital One Financial, where he leads cybersecurity activities in the Card division. He is also the co-author of the Official (ISC)² CISSP CBK Reference, 6th edition. In this interview with Help Net Security, he discusses the book as well as certification in general.
You are the co-author of the Official (ISC)² CISSP CBK Reference, now in its 6th edition. How long did it take to write and what were the biggest challenges?
I wrote my first words for the book at the end of 2020 and we just published in September 2021; so the process took nearly a year, with most of that time being writing fresh content, reviewing editor feedback, and making necessary updates. There’s a LOT that goes into writing a book – especially a technical reference.
One of the biggest challenges was finding a good balance between providing enough detail without adding unnecessary information. Fortunately, I had a great co-author and an excellent team of editors who helped strike that balance. Another big challenge was meeting very tight deadlines when all of my writing had to occur outside of normal business hours due to my primary job.
What kind of research did you need to do, and how long did you spend researching for the book?
Research is a large part of writing this type of book. Even if I knew something about each topic in the CISSP CBK, I wouldn’t have been able to write a fully detailed reference guide that covers all of those topics without a great deal of research. So, I relied on research to go deeper into some of the meatier topics.
I spent at least a week researching each domain before even writing one word. This included reading various publications, scholarly articles, and notes that I’ve taken over the years. Once I began to write a chapter, I’d often have to iterate on my research when I felt that I was light on details. Needless to say, I learned a lot working on this book.
How has the material changed from the previous edition of the book? Were there any surprises?
One of the biggest changes we made was directly aligning each chapter with the newest CISSP Exam Outline; we did this because we felt it would make finding information a bit more straightforward.
We’ve also listened to feedback about previous editions of the book and cut back on some of the material that working CISSPs find less useful; we removed some of the older, less relevant laws and regulations and added more topics that a modern, global organization would find helpful.
Since we wrote this book while experiencing a once-in-a-lifetime pandemic, you’ll find many tidbits throughout the book that make it very relevant to securely operating in fully remote or hybrid environments.
There are many books and resources dedicated to (ISC)² certifications. What makes this book a good choice? What differentiates it from others?
The Official (ISC)² CISSP CBK Reference has stood the test of time, and each edition continues to evolve alongside the CISSP CBK and CISSP Exam Outline. It is one of the only reference guides that serves as a one-stop-shop for all topics within the CISSP CBK, and it is the only such reference guide that (ISC)² puts the “official” title on.
In other words, (ISC)² rigorously reviewed each page of this book and put their name behind it. My co-author, Aaron Kraus, and I used several decades of experience to inform which topics belong in a reference guide for working security professionals. This new edition balances breadth and depth while minimizing extraneous information.
What certifications do you have? How have they helped you in your career?
In addition to the CISSP, I maintain the CCSP credential from (ISC)², and I wrote CCSP for Dummies in 2020. I’ve also achieved the Certified Ethical Hacker (CEH) certification and several GIAC certifications, namely the GIAC Certified Forensics Examiner (GCFE), GIAC Certified Incident Handler (GCIH), and GIAC Continuous Monitoring Certification (GMON). Earlier in my career, I would actively study for at least two new certifications every year.
What I discovered was that the process of studying for a certification is even more beneficial than achieving the certification itself. For example, studying for the GCFE came during a time when I was engaged in various incident response activities; learning and practicing digital forensics added another dimension to my incident handling, which allowed me to connect textbook material to real-world scenarios in my job.
Overall, certifications (including the studying and practicing that comes with them) have helped me learn new skills and experience many different parts of the broad information security field; that has helped me become a more well-rounded security leader today.